Sponsored by..

Monday, 14 December 2015

Malware spam: "Israel Burke" / "BCP Transportation, Inc."

This fake invoice comes with a malicious attachment:
From:    Israel Burke [BurkeIsrael850@business.telecomitalia.it]
Date:    14 December 2015 at 15:00
Subject:    Israel Burke

Dear Customer:

Attached please find an invoice(s) for payment.  Please let us know if you have any questions.

We greatly appreciate your business!

Israel Burke
BCP Transportation, Inc.
I have only seen one sample of this, it is possible that the company name and sender names are randomly generated. The attachment in this case was named invoice_scan_76926455.doc and has a detection rate of 3/55.

Despite the name, this is not a Word document but is an XML document [pastebin] containing ActiveMIME data. The Malwr report for this indicates network traffic to:

109.234.34.224 (McHost.Ru, Russia)
80.96.150.201 (SC-Nextra Telecom SRL, Romania)


That Malwr report shows a dropped binary named qqqew.exe which has a VirusTotal detection rate of 5/55.

I am not certain of the payload, but I suspect that this Word document is dropping Upatre leading to the Dyre banking trojan.

MD5s:
a81a19478dbe13778f06191cf39c8143
5b1db9050cc44db3a99b50a5ba9d902a


Recommended blocklist:
109.234.34.224
80.96.150.201


5 comments:

Sandy Howden said...

JUST RECEIVED ONE HERE TOO - FROM SOMEONE NAMED LINDSAY

RPG said...

Received 2 here: Corrine Fowler & Marci Kemp.
Deleted!

Next Bubble said...

Got one here also with a different address. They are randomly assigning different email addresses. The address I got it from did not match the company of the invoice, so that is a giveaway.

eric humann said...

got one also. from Sophia Chambers, invoice_scan_26475772.doc

Jeanine said...

Well... I checked this out too late... what happens if I DID open the file? I am currently running a scan using AVG...I'm sure I opened on my Iphone as well... Am I in deep trouble??? Please help!